Abstract

MD5 is one of the most widely used cryptographic hash functions nowadays. It was designed in 1992 as an improvement of MD4, and its security was widely studied since then by several authors. The best known result so far was a semi free-start collision, in which the initial value of the hash function is replaced by a non-standard value, which is the result of the attack. In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collisions of MD5 in about 15 minutes up to an hour computation time. The attack is a differential attack, which unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure. We call this kind of differential a modular differential. An application of this attack to MD4 can find a collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Citations

..., but also greatly improve the efficiency. Nowadays, there are two widely used hash functions – MD5 [18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 =-=[17]-=-. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] found a kind of pseudo-collision for MD5 which consists of the same message with two different sets ...

...fferential attack which uses exclusive-or as the difference. The differential attack was introduced by E. Biham and A. Shamir to analyze the security of DES-like cryptosystems. E. Biham and A. Shamir =-=[1]-=-, described that differential cryptanalysis is a method which analyzes the effect of particular differences in plain text pairs on the differences of the resultant cipher text pairs. The differential ...

...ryptographic protocols. The use of hash functions in these applications not only ensures the security, but also greatly improves the efficiency. Nowadays, there are two widely used hash functions – MD5 =-=[18]-=- and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] ...

...consists of two different 512-bit messages with a chosen initial value IV′0: a0 = 0x12ac2375, b0 = 0x3b341042, c0 = 0x5f62b97c, d0 = 0x4ba763ed. A general description of this attack was published in =-=[9]-=-. Although H. Dobbertin cannot provide a real collision of MD5, his attack reveals the weak avalanche for the full MD5. This provides a possibility to find a special differential with one iteration.sI...

... MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-collision attack on SHA-0 =-=[2]-=-, which follows the lines of the technique of [4]. In the rump session they described their new (and improved) results on SHA-0 and SHA-1 (including a multi-block technique and collisions of reduced S...

...otocols. The use of hash functions in these applications not only ensures the security, but also greatly improves the efficiency. Nowadays, there are two widely used hash functions – MD5 [18] and SHA-1 =-=[12]-=-. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers [3] found a kind of...

...2, a further (dropped) carry may happen, and then there is no negative sign in bit 32. It should be noted that the modular differential has been used earlier to analyze some hash functions ([4], [7], =-=[10]-=-). Compared with these attacks, our attack has the following advantages: 1. Our attack is to find collisions with two iterations, i.e., each message in the collision includes two message blocks (1024...

...ith two different sets of initial values. This attack discloses the weak avalanche in the most significant bit for all the chaining variables in MD5. In the rump session of Eurocrypt’96, H. Dobbertin =-=[8]-=- presented a semi free-start collision which consists of two different 512-bit messages with a chosen initial value IV′0: a0 = 0x12ac2375, b0 = 0x3b341042, c0 = 0x5f62b97c, d0 = 0x4ba763ed. A general...

...M1′. Two such collisions of MD5 were made public in the Crypto’04 rump session [19]. This attack is applicable to many other hash functions as well, including MD4, HAVAL-128 and RIPEMD ([17], [20], =-=[15]-=-). In the case of MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-collision...

...1 and M1′. Two such collisions of MD5 were made public in the Crypto’04 rump session [19]. This attack is applicable to many other hash functions as well, including MD4, HAVAL-128 and RIPEMD ([17], =-=[20]-=-, [15]). In the case of MD4, the attack can find a collision within less than a second, and can also find second pre-images for many messages. In Crypto’04 Eli Biham and Rafi Chen presented a near-col...

...ion they described their new (and improved) results on SHA-0 and SHA-1 (including a multi-block technique and collisions of reduced SHA-1). Then, A. Joux presented a 4-block full collision of SHA-0 =-=[14]-=-, which is a further improvement of these results. Both these works were made independently of this paper. This paper is organized as follows: In Section 2 we briefly describe MD5. Then in Section 3 w...

...[18] and SHA-1 [12]. MD5 is a hash function designed by Ron Rivest as a strengthened version of MD4 [17]. Since its publication, some weaknesses have been found. In 1993, B. den Boer and A. Bosselaers =-=[3]-=- found a kind of pseudo-collision for MD5 which consists of the same message with two different sets of initial values. This attack discloses the weak avalanche in the most significant bit for all the...